Hello Hackers,

Hope you guys Doing well and hunting lots of bugs and Dollars !

Well, let’s start and learn about Information disclosure and methodologies to find them.

What is Information disclosure ?

Information disclosure is when a web application fails to properly protect confidential information, which causes revealing sensitive information or data of the users or anything related to users to any third party.

It uncovering information like:-

• Data about the users, such as username, credit card information, or some personal details which are listed by the web application.
• Technical details about the web application and their back-end data.
• some commercial data.

Information disclosure is not always exploitable directly, because sometimes they allow hackers to gather information for further attacks but it doesn’t mean that you can’t exploit it. It always depends on what types of information web applications are revealing, sometime it will have a serious impact.

why information disclosure occurred?

• Bad configuration
• using a poorly designed application
• Fails to remove sensitive content from public content

Different types of information Disclosure issue:-

Banner Grabbing

Banner grabbing is a process of collecting information like operating system, server details, the name of service running with its version number, and a lot of information about it.

https://hackerone.com/reports/460556

Source Code Disclosure

This occurs when the code of the back-end environment of a web application is exposed to the public. If source code files are disclosed then an attacker may use such information to discover logical flaws. This is highly impact able.

https://hackerone.com/reports/211418

Filename and File path disclosure

This can happen due to incorrect handling of user input, exceptions at the back-end, or inappropriate configuration of the web server. Sometimes such information can be found or identified in the responses of the web applications, error pages, debugging information, etc.

https://hackerone.com/reports/979110

Inappropriate handling of sensitive data

This can happen when sensitive data is not removed from the source code or somewhere else. Some data like username, password, or some important comment can be present there which may reveal some sensitive data. There are lots other possibilities .

Common sources of information Disclosure:-

• Error messages
• Debug messages
• backup files
• developer comments in HTML source code
• server and database messages
• Using public information

Possible ways to find information Disclosures:-

• use google Dorking, shodan, and GitHub Dorking for finding public information.
• Always look carefully at HTML source code, Debug messages, and error messages.
• Do content discovery and try to access it by various bypassing techniques.

How to prevent Information Disclosure attacks :-

• Configure the web server to disallow directory listing and make sure that the web application always shows a default web page.
• Sensitive data, files and any other item of information that do not need to be on the web servers should never be uploaded on the web server.
• Use generic error messages as much as possible. Don’t provide attackers with clues about application behavior unnecessarily.
• Make sure that all the services running on the server’s open ports do not reveal information about their builds and versions.
• Do not hard code credentials, API keys, IP addresses, or any other sensitive information in the code, including first names and last names, not even in the form of comments.

Hope this is useful for you guys

Happy Hacking !